Users & Roles
Questions about managing accounts, access control, notifications, and permissions for all roles in OJS.
How do I prevent users from self-registering?
OJS allows self-registration by default for most roles. To restrict or disable it:
Restrict self-registration to specific roles:
- Go to Users & Roles → Roles.
- Find the role you want to restrict (e.g. Reviewer) and click Edit.
- Uncheck "Allow user self-registration" and save.
Repeat for any role you want to restrict. Users can still register but will not be offered that role at sign-up.
Disable all self-registration:
- Go to Users & Roles → Site Access Options.
- Select "Journal managers will register all user accounts".
- Save. The registration form will no longer be accessible to the public.
If you only want to control which roles are self-assignable (rather than banning registration entirely), restricting individual roles is more flexible than disabling all registration.
I forgot my password - how do I reset it?
From the OJS login page:
- Click "Forgot your password?" below the login form.
- Enter your registered email address and submit.
- OJS sends a password reset link to that address, valid for a limited time.
- Click the link in the email, set a new password, and log in.
If the reset email does not arrive within a few minutes, check your spam or junk folder; emails from OJS installations on shared hosting are sometimes filtered. If you still cannot find it, contact the journal manager, who can reset your password manually (see the next question).
A user can't reset their password - what should I do?
As a Journal Manager, you can set a new password on behalf of any user registered on your journal:
- Go to Users & Roles → Users.
- Search for the user and click the blue disclosure triangle next to their name.
- Select Edit User.
- Enter a new temporary password in the password field and save.
- Notify the user of their temporary password out-of-band (phone, direct email) and ask them to change it on first login.
Also check that the user is looking in the correct email inbox and spam folder; password reset emails are commonly filtered.
For Site Administrator password recovery (when you cannot log into the site at all), see How do I recover the Site Administrator password? below.
Why am I redirected back to the login page after logging in?
This almost always means browser cookies are blocked. OJS uses a session cookie to maintain your logged-in state. If cookies are disabled or blocked by a browser privacy extension, each page load appears as a new unauthenticated request and you are immediately redirected back to login.
To fix this:
- Confirm cookies are enabled in your browser settings.
- If you use a privacy extension (uBlock Origin, Privacy Badger, etc.), add your journal's domain to the extension's allowlist.
- Try logging in using a different browser or a private/incognito window (which uses default settings without extensions) to confirm the cause.
If the problem persists across all browsers, there may be a server-side session configuration issue; check that PHP session.save_path is writable and that your server is not sending conflicting cookie domains.
How do I turn off email notifications?
Each OJS user controls their own notification preferences:
- Log in and click your username (top right) to open your profile.
- Go to the Notifications tab.
- Configure which events trigger email notifications versus in-app-only notifications (or no notification at all).
Available notification categories include: new announcements, discussion replies, editorial decisions (for authors), new submissions (for editors), and review assignments (for reviewers).
Journal Managers cannot bulk-configure notification preferences on behalf of users. Each user must update their own settings. Consider including notification setup instructions in your onboarding communications for new editors and reviewers.
Why am I getting "You don't have access to that stage of the workflow"?
There are three common causes:
- Your role does not include access to that stage: Each workflow stage (Submission, Review, Copyediting, Production) has a configurable list of permitted roles. Check Users & Roles → Roles and confirm your role has the relevant stage permissions enabled.
- Your role settings were recently changed: If a Journal Manager updated role permissions after your account was created, you may need to log out and back in for the changes to take effect.
- You are assigned as both editor and reviewer on the same submission: OJS can get confused when one person holds both roles on a single submission. In this case, access the submission directly via its URL ([site]/workflow/index/[submissionId]/[stageId]) rather than through the dashboard.
If the issue persists, ask a Journal Manager to review your role assignment on the specific submission via the Participants panel.
Why can't I delete a user's account?
OJS intentionally does not include a "delete user" button. User accounts are linked to editorial history (submissions, review assignments, decisions), and deleting a user account would corrupt those records.
The correct approach is to merge the unwanted account into another account. Merging transfers any editorial history to the target account and deactivates the source account.
In the OJS interface:
- Go to Users & Roles → Users.
- Find the user, click the blue triangle, and select Merge User.
- Search for the account to merge into (e.g. a dedicated "deleted user" dummy account) and confirm.
From the command line (faster for bulk cleanup):
php tools/mergeUsers.php [username-to-remove] [target-username]
Create a dedicated inactive account (e.g. deleted@yourjournal.org) to serve as the merge target for unwanted accounts. This keeps editorial history intact while effectively disabling the original accounts.
Why can't I edit a user?
On multi-journal installations, Journal Managers can only edit users who were originally created under their journal. If a user registered on a different journal on the same OJS instance, you will see their account but the Edit option may be restricted or unavailable.
In this case, the options are:
- Ask the user to update their own profile.
- Ask the Site Administrator to edit the account, since site admins have unrestricted access to all users across all journals.
This is a deliberate privacy boundary: Journal A's manager cannot modify the profile of a user who belongs to Journal B.
How do I send a message to all users?
OJS does not include a direct "broadcast email" tool, but there are two effective approaches:
Announcements (recommended):
- Create an announcement under Settings → Website → Announcements.
- Check the option to "Send notification email to all registered users" when saving.
- The announcement appears on the journal homepage and is emailed to all users who have not opted out of announcement notifications.
Notify by Role (OJS 3.3+):
- From the Users & Roles → Users list, filter by role.
- Select all users in that role and use the Notify action to send a message to the selected group.
Mass emails should be used sparingly. Frequent unsolicited emails encourage users to opt out of all notifications, reducing the reach of important future communications.
What can I do about spam or fake user accounts?
Spam and bot registrations are a common nuisance. A layered approach works best:
- Enable reCAPTCHA: In Administration → Site Settings, configure a Google reCAPTCHA key. This significantly reduces automated bot registrations.
- Moderate new registrations: Set registration to require Journal Manager approval before accounts are activated (via Users & Roles → Site Access Options).
- Merge and disable fake accounts: Use the Merge Users tool (or tools/mergeUsers.php from the command line) to bulk-deactivate fake accounts by merging them into a dummy target.
- Review registration emails: Many spam accounts use obviously disposable email domains. Spotting these early reduces cleanup later.
The PKP Admin Guide on Managing Spam provides detailed guidance on reCAPTCHA setup and other anti-spam measures.
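One way to carry out the "review registration emails" step from the database, as an added example that is not part of the OJS or PKP documentation. It reads only the users table and the email, username and user_id columns named on this page; the threshold of 5 and the domain disposable.example are constructed values to adjust.

```sql
-- Added example: read-only triage of registrations by email domain.
-- Uses only SUBSTRING/POSITION/LOWER so it runs on MySQL/MariaDB and PostgreSQL.

-- 1. Count accounts per email domain and surface domains that
--    account for many registrations (threshold 5 is a constructed value).
SELECT LOWER(SUBSTRING(email FROM POSITION('@' IN email) + 1)) AS email_domain,
       COUNT(*) AS accounts
FROM users
GROUP BY LOWER(SUBSTRING(email FROM POSITION('@' IN email) + 1))
HAVING COUNT(*) >= 5
ORDER BY accounts DESC;

-- 2. After reviewing the list by hand, pull the accounts for one
--    domain you have judged to be disposable
--    ('disposable.example' is a constructed placeholder).
SELECT user_id, username, email
FROM users
WHERE LOWER(email) LIKE '%@disposable.example'
ORDER BY user_id;
```

The usernames returned by the second query are the candidates to merge into the dummy target account with the Merge Users tool; large legitimate domains (universities, common mail providers) will also appear in the first result, so review before merging.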
How do I add another Site Administrator?
OJS does not provide a UI for granting site administrator privileges; this must be done at the database level. The steps are:
- Find the user_id of the user you want to promote by looking up their account in the users table.
- Find the user_group_id for the Site Administrator group, typically the group where role_id = 1 in the user_groups table.
- Insert a new row into the user_user_groups table:
INSERT INTO user_user_groups (user_id, user_group_id)
VALUES ([user_id], [admin_user_group_id]);
After the insert, the user should be able to access the Administration panel on their next login. Always back up your database before making direct changes.
Direct database modification carries risk. Double-check your values before executing and test in a staging environment if possible.
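The three steps above as one transaction, written as an added example rather than a query from the OJS or PKP documentation. It uses only the tables and columns named on this page; the username jsmith is a constructed placeholder.

```sql
-- Added example: promote one existing user to Site Administrator.
-- Run after taking a database backup. 'jsmith' is a constructed placeholder.
START TRANSACTION;

-- Steps 1 and 2: show the ids that will be used.
-- Expect exactly ONE row. Zero rows means the username is wrong;
-- more than one row means several groups have role_id = 1, in which
-- case ROLLBACK and pick the user_group_id by hand.
SELECT u.user_id, u.username, g.user_group_id
FROM users u
CROSS JOIN user_groups g
WHERE u.username = 'jsmith'
  AND g.role_id = 1;

-- Step 3: add the membership, skipping the insert if it already exists
-- so that re-running the script cannot create a duplicate row.
INSERT INTO user_user_groups (user_id, user_group_id)
SELECT u.user_id, g.user_group_id
FROM users u
CROSS JOIN user_groups g
WHERE u.username = 'jsmith'
  AND g.role_id = 1
  AND NOT EXISTS (
        SELECT 1
        FROM user_user_groups x
        WHERE x.user_id = u.user_id
          AND x.user_group_id = g.user_group_id
      );

-- Check: list every account that now holds the Site Administrator group.
-- Any name you do not recognise here deserves investigation.
SELECT u.user_id, u.username, u.email
FROM user_user_groups uug
JOIN users u       ON u.user_id = uug.user_id
JOIN user_groups g ON g.user_group_id = uug.user_group_id
WHERE g.role_id = 1
ORDER BY u.username;

-- Keep the change only if the list above is what you expect.
COMMIT;   -- or ROLLBACK; to discard
```

The final SELECT is also useful on its own as a periodic audit of who holds site administrator rights.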
How do I recover the Site Administrator password?
If you can no longer log in as a site administrator and the forgot-password email flow is unavailable (e.g. email is misconfigured), use the database to recover access:
Option 1: Update the email address and use the reset flow (recommended):
UPDATE users
SET email = '[accessible_email@example.com]'
WHERE username = '[admin_username]';
Then use the standard "Forgot your password?" flow on the login page. After regaining access, restore the original email address within OJS.
Option 2: Reset the password hash directly:
OJS stores passwords as hashed values. The exact hashing algorithm depends on your OJS version; check the [security] section of config.inc.php for the default_algo setting (commonly bcrypt in OJS 3.3+, or sha1 in older versions). Consult the PKP Admin Guide or the PKP Community Forum for the correct query for your specific version, as using the wrong algorithm will prevent login.
After recovering access, immediately change the password to a strong value from within OJS and restore the correct email address if you changed it temporarily. Review recent administrative actions for signs of unauthorised access.
Option 1 (email update + reset link) is safer and does not require knowledge of the hashing algorithm. Use Option 2 only if email delivery is completely unavailable.
Further Reading
- Learning OJS - Users and Roles: Role management and access control
- PKP Admin Guide - Managing Spam: reCAPTCHA and anti-spam configuration
- PKP Community Forum: Community support for complex user management issues